JumpCloud Cyberattack Linked to North Korean Hackers


The cyberattack that directory, identity, and access management company JumpCloud fell victim to in late June can be attributed to North Korean advanced persistent threat (APT) activity, cybersecurity company SentinelOne says.

JumpCloud revealed last week that the attack began on June 22 with a spear-phishing email campaign and that, a few weeks later, the attackers injected data into its commands framework.

Attributing the incident to a “sophisticated nation-state sponsored threat actor”, the company said the attack was highly targeted, focusing on a limited set of customers.

JumpCloud did not share specific information on the number of impacted customers, nor on the type of data compromised in the attack. The company provides solutions to over 180,000 organizations.

“JumpCloud recently experienced a cybersecurity incident that impacted a small and specific set of our customers. Upon detecting the incident, we immediately took action based on our incident response plan to mitigate the threat, secure our network and perimeter, communicate with our customers, and engage law enforcement,” a JumpCloud spokesperson told SecurityWeek, responding to an inquiry.

After analyzing the indicators of compromise (IoCs) that JumpCloud shared last week, SentinelOne identified links to North Korean state-sponsored activities.

“The IOCs are linked to a wide variety of activity we attribute to DPRK, overall centric to the supply chain targeting approach seen in previous campaigns,” SentinelOne says.


The IoCs that JumpCloud shared allowed the cybersecurity firm to map out the attackers’ infrastructure, identifying domains that were constructed using patterns observed in previous North Korean incidents.

SentinelOne also identified links to various NPM- and ‘package’-themed infrastructure, as well as to infrastructure associated with the TraderTraitor campaign, the 3CX hack, and the AppleJeus operation, all of which have been attributed to North Korean hackers.

“It is evident that North Korean threat actors are continuously adapting and exploring novel methods to infiltrate targeted networks. The JumpCloud intrusion serves as a clear illustration of their inclination towards supply chain targeting, which yields a multitude of potential subsequent intrusions,” SentinelOne notes.

Related: North Korean Hackers Caught Using Malware With Microphone Wiretapping Capabilities

Related: North Korean Hackers Blamed for $35 Million Atomic Wallet Crypto Theft

Related: US, South Korea Detail North Korea’s Social Engineering Techniques
